When would the Maximum Password Age policy be enforced?

I would like to change the Maximum Password Age of our Default Domain Policy from "0" to "90". Will the users be prompted to change the password as soon as the policy change is enabled or will they be prompted 90 days from the day the new policy is enabled?


The end user will not be prompted to change their password until the 90 days is up, if that is the amount you choose to use.

efingerhut1 (Author) commented: 2018-03-27

How does the Minimum Password Age policy affect the change? If I change the Max password age from 0 to 90 and leave the Min password age set to 0, when will the users be prompted to change their passwords? Will the policy change be applied to ALL users' passwords, including existing users and new users?

The password age is calculated dynamically based on when the user's password was set the last time.
That means that anybody who set his password for the last time more than 90 days ago (which will probably be most of them if you don't have a maximum age yet), will be asked to change his password immediately.
The default password policy (which has to be applied to the domain root!) will apply to all domain users.
The "password never expires" setting in the user's properties has priority, so make sure it's set for your service accounts before starting with this.
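
The age calculation described in this answer, as an added example that is not part of the original thread: a PowerShell preview of which accounts would be prompted the moment the maximum age goes from 0 to 90. The function name `Get-PasswordExpiryPreview` and the sample accounts are constructed for illustration, and it assumes only the default domain policy applies (no fine-grained password policy).

```powershell
# Added example: classify accounts by what happens when Maximum Password Age becomes 90.
function Get-PasswordExpiryPreview {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $status = if ($User.PasswordNeverExpires) {
            # The per-account flag takes priority over the domain policy.
            'Exempt (password never expires)'
        } elseif ($null -eq $User.PasswordLastSet) {
            # No PasswordLastSet value: the account must change its password at next logon.
            'Must change at next logon'
        } elseif (($Now - $User.PasswordLastSet).TotalDays -ge $MaxAgeDays) {
            # Age is measured from the last password change, not from the policy change.
            'Prompted immediately'
        } else {
            'Prompted on ' + $User.PasswordLastSet.AddDays($MaxAgeDays).ToString('yyyy-MM-dd')
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            Status          = $status
        }
    }
}

# Constructed sample accounts (not real data), evaluated against a fixed date.
$now = [datetime]'2018-03-27'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';     PasswordLastSet = [datetime]'2017-06-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'asmith';   PasswordLastSet = [datetime]'2018-03-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-sql';  PasswordLastSet = [datetime]'2015-01-15'; PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'newhire';  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
$sample | Get-PasswordExpiryPreview -MaxAgeDays 90 -Now $now | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), feed real accounts instead:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordExpiryPreview -MaxAgeDays 90
```

Running the live query before changing the policy shows how many users would be prompted at once and which old accounts still lack the "password never expires" flag.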

Maximum Password Age security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Minimum Password Age security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.

Yes, the policy change will be applied to all users' passwords, new and old.

efingerhut1 (Author) commented: 2018-03-27

If I wanted to test the new Password Policy for a couple of users, is it possible to set "password never expires" for all the users except for the users I want to test with? When I am done testing and remove the "password never expires" setting from the rest of the users, will the new policy take effect immediately?

Since this setting overrides the default password policy, that would work.
And, yes, if the policy is still active when you disable the "password never expires", the user will be asked immediately if his password is already older than 90 days.
Or if you're running an AD on 2008 R2 or later (easiest if you have 2012 or later), you can use a fine-grained password policy, which lets you apply the policies to groups or even individual accounts. That way, you can phase it out by adding the users to the respective group with the maximum password age as required.
Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD: https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/


Create a GPO that is enforcing the "password never expires". Make sure the container you point the GPO to has everyone but the few users you want to test with. After you turn the policy off they likely will have to change their passwords.